yawast - The YAWAST Antecedent Web Application Security Toolkit

YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories:

TLS/SSL - Versions and cipher suites supported; common issues.

Information Disclosure - Checks for common information leaks.

Presence of Files or Directories - Checks for files or directories that could indicate a security issue.

Common Vulnerabilities

Missing Security Headers

This is meant to provide an easy way to perform initial analysis and information discovery. It's not a full testing suite, and it certainly isn't Metasploit. The idea is to provide a quick way to perform initial data collection, which can then be used to better target further tests. It is especially useful when used in conjunction with Burp Suite (via the --proxy parameter).

Installing

The simplest method to install is to use the RubyGem installer:

gem install yawast

This allows for simple updates (gem update yawast) and makes it easy to ensure that you are always using the latest version. YAWAST requires Ruby 2.2+, and is tested on Mac OSX and Linux (Windows should work; please open a ticket if you have issues).

Kali Rolling

To install on Kali, just run gem install yawast - all of the dependencies are already installed.

Ubuntu 16.04

To install YAWAST, you first need to install a couple of packages via apt-get:

sudo apt-get install ruby ruby-dev
sudo gem install yawast

Mac OSX

The version of Ruby shipped with Mac OSX 10.11 is too old, so the recommended solution is to use RVM:

This version is more limited than the SSL Labs option, though will work in cases where SSL Labs is unable to connect to the target server.

SSL Labs Mode

The default mode is to use the SSL Labs API, which makes all users bound by their terms and conditions, and obviously results in the domain you are scanning being sent to them. This mode is the most comprehensive, and contains far more data than the Internal Mode. Unless there is a good reason to use the Internal Mode, this is what you should use.

For detailed information, just call ./yawast -h to see the help page. To see information for a specific command, call ./yawast -h <command> for full details.

Using with Burp Suite

By default, Burp Suite's proxy listens on localhost at port 8080. To use YAWAST with Burp Suite (or any proxy, for that matter), just add this to the command line:

--proxy localhost:8080

Authenticated Testing

For authenticated testing, YAWAST allows you to specify a cookie to be passed via the --cookie parameter:

--cookie SESSIONID=1234567890
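As an added example (not YAWAST's own code), this is what the --proxy and --cookie options amount to in Ruby's standard Net::HTTP: the client is pointed at the proxy listener and the session cookie is attached to each request. The function name, the "host:port" proxy format and the fallback to port 8080 are assumptions made for this example; nothing is sent on the network, the configured objects are simply returned so they can be inspected.

```ruby
require 'net/http'
require 'uri'
require 'openssl'

# Added example (not YAWAST's own code): build a Net::HTTP client and GET
# request configured the way --proxy and --cookie are described above.
# Nothing is sent; the objects are returned for inspection (or later use).
#
# Assumptions: proxy is given as "host:port" (port defaults to 8080, Burp's
# default listener); cookie is the raw "name=value" string.
def build_client(url, proxy: nil, cookie: nil)
  uri = URI.parse(url)
  proxy_host = proxy_port = nil
  if proxy
    proxy_host, port_str = proxy.split(':', 2)
    proxy_port = (port_str || '8080').to_i
  end

  # An explicit nil proxy address disables proxying (and ignores http_proxy
  # in the environment), so "no --proxy" really means a direct connection.
  http = Net::HTTP.new(uri.host, uri.port, proxy_host, proxy_port)
  http.use_ssl = (uri.scheme == 'https')
  # Keep certificate verification on. When Burp is in the middle, its CA must
  # be trusted (e.g. via http.ca_file) rather than turning verification off.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

  request = Net::HTTP::Get.new(uri.request_uri)
  request['Cookie'] = cookie if cookie
  [http, request]
end

if $PROGRAM_NAME == __FILE__
  http, request = build_client('https://example.com/login',
                               proxy: 'localhost:8080',
                               cookie: 'SESSIONID=1234567890')
  puts "proxy: #{http.proxy_address}:#{http.proxy_port}  tls: #{http.use_ssl?}"
  puts "cookie header: #{request['Cookie']}"
end
```

Note that the cookie value is a live session credential: keep it out of shell history and logs where you can, and prefer a test account whose session you can revoke once the scan is done.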

Sample

Using scan - the normal go-to option - here's what you get when scanning my website:

Beginning SSL Labs scan (this could take a minute or two)
[SSL Labs] This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
..........................................

About The Output

You'll notice that most lines begin with a letter in brackets; this tells you how to interpret the result at a glance. There are four possible values:

[I] - This indicates that the line is informational, and doesn't necessarily indicate a security issue.

[W] - This is a Warning, which means that it could be an issue, or could expose useful information. These need to be evaluated on a case-by-case basis to determine the impact.

[V] - This is a Vulnerability: it indicates a known issue that needs to be addressed.

[E] - This indicates that an error occurred. Sometimes these are serious and indicate an issue with your environment, the target server, or the application; in other cases they are just informational, letting you know that something didn't go as planned.

The indicator used may change over time based on new research or better detection techniques. In all cases, results should be carefully evaluated within the context of the application, how it's used, and what threats apply. The indicator is guidance, a hint if you will; it's up to you to determine the real impact.
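Because every finding line starts with one of the four indicators, the output is easy to triage mechanically before you read it by hand. The following Ruby helper is an added example, not part of YAWAST: it pulls the [I]/[W]/[V]/[E] lines out of captured output, counts them per level, and filters to a minimum severity so vulnerabilities and warnings surface first. The sample output embedded in it is constructed for illustration and is not real scan output; the function names and the severity ranking (I < W < V, with E tracked separately as a scan problem rather than a target finding) are choices made for this example.

```ruby
# Added example (not YAWAST's own code): triage helper for output lines that
# start with one of the [I]/[W]/[V]/[E] indicators described above.

LEVELS = {
  'I' => :info,
  'W' => :warning,
  'V' => :vulnerability,
  'E' => :error
}.freeze

# Severity rank used for sorting/filtering. Errors are counted but not ranked,
# since they describe the scan itself rather than the target.
RANK = { info: 0, warning: 1, vulnerability: 2 }.freeze

LINE_RE = /\A\[([IWVE])\]\s*(.*)\z/

# Parse raw output into an array of { level:, message: } hashes. Lines without
# an indicator (banners, progress dots) are skipped.
def parse_findings(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.chomp)
    next unless m
    { level: LEVELS.fetch(m[1]), message: m[2].strip }
  end.compact
end

# Count findings per level, with every level present even when zero.
def summarize(findings)
  counts = Hash[LEVELS.values.map { |lvl| [lvl, 0] }]
  findings.each { |f| counts[f[:level]] += 1 }
  counts
end

# Findings at or above a severity, most severe first (errors excluded).
def at_least(findings, min_level)
  floor = RANK.fetch(min_level)
  findings.select { |f| RANK.key?(f[:level]) && RANK[f[:level]] >= floor }
          .sort_by { |f| -RANK[f[:level]] }
end

# Highest ranked finding level, or nil if there are only errors or nothing.
def worst_level(findings)
  ranked = findings.map { |f| f[:level] }.select { |l| RANK.key?(l) }
  ranked.max_by { |l| RANK[l] }
end

# Constructed sample output for illustration; not real scan output.
SAMPLE_OUTPUT = <<~OUT
  Beginning SSL Labs scan (this could take a minute or two)
  ..........
  [I] Server header: nginx
  [I] X-Content-Type-Options header present
  [W] X-Frame-Options header not present
  [W] Server header exposes version information
  [V] TLS 1.0 supported
  [E] Timeout while checking /admin
OUT

if $PROGRAM_NAME == __FILE__
  findings = parse_findings(SAMPLE_OUTPUT)
  puts summarize(findings).inspect
  puts "worst: #{worst_level(findings)}"
  at_least(findings, :warning).each { |f| puts "#{f[:level]}: #{f[:message]}" }
end
```

Pipe a saved scan into this (or adapt parse_findings to read $stdin) to get the counts and the warning-and-above list; an [E] count above zero is your cue to check connectivity or the target before trusting the rest of the run.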